From fe12d020be71e50479bda8fea684d7ed38e2b6e9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Deckert?= Date: Tue, 13 Apr 2021 19:07:06 +0200 Subject: [PATCH] zabbix appliance --- privacyidea/Makefile | 91 +++++++++++ privacyidea/appliance/02firstboot.start | 148 ++++++++++++++++++ privacyidea/appliance/MySQL-Backup.sh | 32 ++++ privacyidea/appliance/backup.service | 8 + privacyidea/appliance/backup.timer | 12 ++ privacyidea/appliance/cert-renew.service | 8 + privacyidea/appliance/cert-renew.sh | 52 ++++++ privacyidea/appliance/cert-renew.timer | 12 ++ privacyidea/mariadb/my.cnf.root | 11 ++ privacyidea/package.accept_keywords | 29 ++++ privacyidea/package.use | 15 ++ privacyidea/privacyidea.cfg | 2 + privacyidea/world | 5 + zabbix/Makefile | 61 +++++--- zabbix/appliance/02firstboot.start | 134 ++++++++++------ zabbix/appliance/MySQL-Backup.sh | 32 ++++ zabbix/appliance/backup.service | 8 + zabbix/appliance/backup.timer | 12 ++ zabbix/appliance/cert-renew.service | 8 + zabbix/appliance/cert-renew.sh | 30 +--- zabbix/appliance/cert-renew.timer | 12 ++ zabbix/mariadb/my.cnf.root | 4 + ...ckage.keywords => package.accept_keywords} | 0 23 files changed, 638 insertions(+), 88 deletions(-) create mode 100644 privacyidea/Makefile create mode 100755 privacyidea/appliance/02firstboot.start create mode 100755 privacyidea/appliance/MySQL-Backup.sh create mode 100644 privacyidea/appliance/backup.service create mode 100644 privacyidea/appliance/backup.timer create mode 100644 privacyidea/appliance/cert-renew.service create mode 100755 privacyidea/appliance/cert-renew.sh create mode 100644 privacyidea/appliance/cert-renew.timer create mode 100644 privacyidea/mariadb/my.cnf.root create mode 100644 privacyidea/package.accept_keywords create mode 100644 privacyidea/package.use create mode 100644 privacyidea/privacyidea.cfg create mode 100644 privacyidea/world create mode 100755 zabbix/appliance/MySQL-Backup.sh create mode 100644 zabbix/appliance/backup.service create mode 100644 zabbix/appliance/backup.timer create mode 100644 
zabbix/appliance/cert-renew.service create mode 100644 zabbix/appliance/cert-renew.timer rename zabbix/{package.keywords => package.accept_keywords} (100%) diff --git a/privacyidea/Makefile b/privacyidea/Makefile new file mode 100644 index 0000000..10a7c95 --- /dev/null +++ b/privacyidea/Makefile 
@@ -0,0 +1,91 @@
+PIUSER = $(CHROOT)/var/tmp/piuser
+02firstboot = $(CHROOT)/etc/local.d/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+apache_conf = $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.orig
+pi_log = $(CHROOT)/var/log/privacyidea/privacyidea.log
+radius_dict = $(CHROOT)/etc/raddb/dictionary.orig
+radius_module = $(CHROOT)/etc/raddb/mods-enabled/perl-privacyidea
+radius_site = $(CHROOT)/etc/raddb/sites-enabled/privacyidea
+
+systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+ cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/
+ cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(PIUSER):
+ -RUN useradd --system --comment="created from appliance building - privacyidea user" --home-dir="/var/lib/privacyidea/home" --shell="/sbin/nologin" --no-create-home --uid 605 --user-group privacyidea
+ touch $(PIUSER)
+
+$(02firstboot): appliance/02firstboot.start
+ mkdir -p $(CHROOT)/etc/local.d
+ cp $< $@
+ touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+ mkdir -p $(CHROOT)/etc/ssl
+ cp $< $@
+
+$(apache_conf): $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
+
+ mv $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf $(apache_conf)
+ # vor Zeilen einfügen:
+ sed '/<\/VirtualHost>/Q' $(apache_conf) >$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " " >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " Require all granted" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " Options FollowSymLinks" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " AllowOverride None" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " " >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo "" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " WSGIProcessGroup privacyidea" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo " WSGIPassAuthorization On" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ echo "" >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+ grep -A 9999 '<\/VirtualHost>' $(apache_conf) >>$(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
+
+ touch $(apache_conf)
+
+$(pi_log):
+ touch $(CHROOT)/var/log/privacyidea/privacyidea.log
+ RUN chown privacyidea:root /var/log/privacyidea/privacyidea.log
+
+$(radius_dict): $(CHROOT)/etc/privacyidea/dictionary
+ if ! test -e $(radius_dict); \
+ then mv $(CHROOT)/etc/raddb/dictionary $(radius_dict); \
+ fi
+ cp -f $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/dictionary
+ RUN chown root:radius /etc/raddb/dictionary
+ chmod 640 $(CHROOT)/etc/raddb/dictionary
+ touch $(radius_dict)
+
+$(radius_module): $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea
+ cp $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea $(CHROOT)/etc/raddb/mods-available/perl-privacyidea
+ rm $(CHROOT)/etc/raddb/mods-enabled/eap
+ ln -s ../mods-available/perl-privacyidea $(radius_module)
+
+$(radius_site): $(CHROOT)/etc/privacyidea/freeradius3/privacyidea
+ cp $(CHROOT)/etc/privacyidea/freeradius3/privacyidea $(CHROOT)/etc/raddb/sites-available/privacyidea
+ RUN chown root:radius /etc/raddb/sites-available/privacyidea
+ chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
+ rm $(CHROOT)/etc/raddb/sites-enabled/*
+ ln -s ../sites-available/privacyidea $(radius_site)
+
+$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
+ # MariaDB-Konfiguration ($$, weil make ein $ entfernt)
+ sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+ cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
+ chmod 0600 $(CHROOT)/root/.my.cnf
+ rm -rf $(CHROOT)/var/lib/mysql/*
+ RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'
+
+
+preinstall: $(PIUSER)
+
+postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh) $(pi_log) $(radius_dict) $(radius_module) $(radius_site) $(CHROOT)/var/lib/mysql
diff --git a/privacyidea/appliance/02firstboot.start b/privacyidea/appliance/02firstboot.start
new file mode 100755
index 0000000..a711bf7
--- /dev/null
+++ b/privacyidea/appliance/02firstboot.start
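Review bot: The `$(PIUSER)` rule masks a failed `useradd` with the `-` prefix and then unconditionally touches the stamp, so a uid or name collision leaves the build believing the privacyidea account exists while `RUN chown privacyidea:root …` in `$(pi_log)` and the `user=privacyidea` line written into the vhost have nothing to resolve to. Make the rule idempotent instead of error-tolerant: `RUN getent passwd privacyidea >/dev/null || RUN useradd --system … privacyidea` followed by `touch $(PIUSER)` (RUN is presumably the chroot wrapper that replaced `$(inroot)`; it is not defined in this patch). `rm $(CHROOT)/etc/raddb/sites-enabled/*` and `rm -rf $(CHROOT)/var/lib/mysql/*` run against the host if `CHROOT` is unset, so a guard such as `$(if $(strip $(CHROOT)),,$(error CHROOT is empty))` at the top of the file is cheap insurance. The two `echo " "` lines around `Require all granted` look as if a `<Directory …>`/`</Directory>` pair was lost in this rendering of the patch; worth confirming the committed file still carries them, since their presence decides what `Require all granted` applies to.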
@@ -0,0 +1,148 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+PI_SECRET_KEY=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+PI_PEPPER=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
+ADMIN_PASS="privacyidea"
+TLD="example.com"
+HOST="privacyidea"
+ORGNAME="privacyIDEA example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# privacyIDEA configuration
+if [ ! -d "/$LABEL/etc/privacyidea" ]; then
+ echo 'Create privacyIDEA configfile...'
+ mkdir -p /$LABEL/etc/privacyidea
+ chown privacyidea /$LABEL/etc/privacyidea
+ cp /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
+ mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg
+ ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
+ sed -i "s/^SUPERUSER_REALM = .*/SUPERUSER_REALM = ['admin']/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^SQLALCHEMY_DATABASE_URI = .*/SQLALCHEMY_DATABASE_URI = 'mysql:\/\/pi:$DATABASE_PASS@localhost\/pi'/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^SECRET_KEY = .*/SECRET_KEY = '$PI_SECRET_KEY'/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^PI_PEPPER = .*/PI_PEPPER = \"$PI_PEPPER\"/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^PI_ENCFILE = .*/PI_ENCFILE = '\/etc\/privacyidea\/enckey'/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^PI_AUDIT_KEY_PRIVATE = .*/PI_AUDIT_KEY_PRIVATE = '\/etc\/privacyidea\/private.pem'/" /$LABEL/etc/privacyidea/pi.cfg
+ sed -i "s/^PI_AUDIT_KEY_PUBLIC = .*/PI_AUDIT_KEY_PUBLIC = '\/etc\/privacyidea\/public.pem'/" /$LABEL/etc/privacyidea/pi.cfg
+ echo "SQLALCHEMY_TRACK_MODIFICATIONS = False" >> /$LABEL/etc/privacyidea/pi.cfg
+
+ echo 'Create privacyIDEA encryption and audit keys...'
+ rm -rf /etc/privacyidea/enckey
+ pi-manage create_enckey
+ mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
+ chown privacyidea /$LABEL/etc/privacyidea/enckey
+ ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
+
+ rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
+ pi-manage create_audit_keys
+ mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
+ mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
+ chown privacyidea /$LABEL/etc/privacyidea/*.pem
+ ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
+ ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
+else
+ if [ ! -L /etc/privacyidea/pi.cfg ]; then
+ rm -rf /$LABEL/etc/privacyidea/pi.cfg.orig
+ mv /etc/privacyidea/pi.cfg /$LABEL/etc/privacyidea/pi.cfg.orig
+ else
+ rm -rf /etc/privacyidea/pi.cfg
+ fi
+ ln -s /$LABEL/etc/privacyidea/pi.cfg /etc/privacyidea/pi.cfg
+
+ rm -rf /etc/privacyidea/enckey
+ ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
+
+ rm -rf /etc/privacyidea/public.pem /etc/privacyidea/private.pem
+ ln -s /$LABEL/etc/privacyidea/private.pem /etc/privacyidea/private.pem
+ ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
+fi
+
+
+# Database
+systemctl stop mariadb
+if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
+ echo 'Initialize MariaDB...'
+ mkdir -p "/$LABEL/var/lib"
+ rm -rf "/$LABEL/var/lib/mysql"
+ if [ ! -L /var/lib/mysql ]; then
+ rm -rf "/$LABEL/var/lib/mysql.orig"
+ cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+ mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
+ ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+ elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
+ cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
+ rm -rf "/var/lib/mysql"
+ ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+ else
+ echo '### ERROR initialize database !!! ###'
+ exit 1
+ fi
+ systemctl start mariadb
+ sleep 5
+
+ echo 'Create privacyIDEA database...'
+ mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
+ mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
+ mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
+ mysql -u root -e "FLUSH PRIVILEGES;"
+
+ pi-manage createdb
+ pi-manage admin add -p "$ADMIN_PASS" admin
+
+else
+ echo 'Start MariaDB...'
+ if [ ! -L /var/lib/mysql ]; then
+ rm -rf "/$LABEL/var/lib/mysql.orig"
+ mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+ else
+ rm -f "/var/lib/mysql"
+ fi
+ ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+ systemctl start mariadb
+fi
+
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+ # angepaßtes Zertifikat vorhanden (kein example)
+ if [ ! -L /etc/ssl/cert-renew.sh ]; then
+ rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+ else
+ rm -f "/etc/ssl/cert-renew.sh"
+ fi
+ ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+ echo 'Create example certificate...'
+ mkdir -p "/$LABEL/CERTS/KEYS/"
+ mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+ echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+ openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+ cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+ touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+systemctl enable mariadb
+systemctl enable freeradius
+systemctl enable apache2
+
+systemctl restart freeradius
+systemctl restart apache2
+
+rm /02firstboot
diff --git a/privacyidea/appliance/MySQL-Backup.sh b/privacyidea/appliance/MySQL-Backup.sh
new file mode 100755
index 0000000..19ccfc9
--- /dev/null
+++ b/privacyidea/appliance/MySQL-Backup.sh
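Review bot: `ADMIN_PASS="privacyidea"` is baked into the image and handed to `pi-manage admin add -p "$ADMIN_PASS" admin`, so every appliance built from this file boots with the same, publicly readable privacyIDEA admin password, even though `DATABASE_PASS`, `PI_SECRET_KEY` and `PI_PEPPER` in the same header are already drawn from /dev/urandom. Generate it the same way and leave it where only root can read it, e.g. `ADMIN_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)` and `(umask 077; echo "$ADMIN_PASS" > /root/ADMIN_PASS_FILE)` (placeholder path), so the first operator has to fetch it from the console rather than guess it. After the `sed -i` edits, `/$LABEL/etc/privacyidea/pi.cfg` holds SECRET_KEY, PI_PEPPER and the database password, but its mode is never restricted here; a `chmod 640 /$LABEL/etc/privacyidea/pi.cfg` next to the `chown privacyidea` line would make that independent of whatever mode the packaged pi.cfg shipped with. `CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci` also contradicts the `character-set-server = utf8mb4` the Makefile writes for this appliance; if latin1 is a deliberate privacyIDEA requirement, a one-line comment saying so would stop the next reader from "fixing" it.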
@@ -0,0 +1,32 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/MySQL"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+ for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
+ if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
+ if test -f ${DIR}/${i}.sql; then
+ echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+ mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+ fi
+ echo "dump ${i} to ${DIR}/${i}.sgl"
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
+ chmod 600 ${DIR}/${i}.sql
+ fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+ echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+ mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;
diff --git a/privacyidea/appliance/backup.service b/privacyidea/appliance/backup.service
new file mode 100644
index 0000000..13ca921
--- /dev/null
+++ b/privacyidea/appliance/backup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/MySQL-Backup.sh --all
diff --git a/privacyidea/appliance/backup.timer b/privacyidea/appliance/backup.timer
new file mode 100644
index 0000000..ec59929
--- /dev/null
+++ b/privacyidea/appliance/backup.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+
+[Install]
+WantedBy=default.target
diff --git a/privacyidea/appliance/cert-renew.service b/privacyidea/appliance/cert-renew.service
new file mode 100644
index 0000000..59ec86d
--- /dev/null
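Review bot: A failed `mysqldump` is invisible to the caller: there is no `set -e`, neither mysqldump line's status is checked, and the script always prints "Done" and exits 0, so backup.service reports success to systemd (and to anyone monitoring it) even when no dump was written. The dump file is also created under the inherited umask and only then `chmod 600`, and `$DIR` is never created, so the first run on a fresh data volume fails with the same silent success. The rewrite below sets a restrictive umask, creates the directory and carries a non-zero status out of either branch; the same file is added verbatim as `zabbix/appliance/MySQL-Backup.sh` later in this patch and needs the identical change. While there, quote `$1` in `[ -z $1 ]`, `[ $1 = '--all' ]` and the path expansions, and the message typo `${i}.sgl` should read `.sql`.
```bash
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
umask 077                 # dump files are root-only from creation, not just after the chmod
DIR="/DATA/Backup/MySQL"
mkdir -p "$DIR"
rc=0
# … unchanged: argument check and the "full backup" loop up to the dump …
            mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r"${DIR}/${i}.sql" "$i" || rc=1
# … unchanged: single-database branch, with the same `|| rc=1` on its mysqldump …
echo "Done"
exit $rc
```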
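Review bot: Nothing in this patch enables `backup.timer` (or `cert-renew.timer`): the `systemd-units` rule copies the units into `$(CHROOT)/etc/systemd/system/`, but both 02firstboot.start scripts only `systemctl enable` mariadb, apache2 and the application services, so the weekly backup never runs unless an operator enables the timer by hand. Add `systemctl enable backup.timer cert-renew.timer` next to the other enable lines in both firstboot scripts, or have the Makefile install the wants-symlink along with the unit. `Persistent=false` additionally means a Sunday 02:19 slot missed because the appliance was off is skipped rather than caught up, which for a backup timer is usually the wrong default; `Persistent=true` is the conventional choice. `WantedBy=default.target` works, though `WantedBy=timers.target` is the customary anchor for timer units.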
+++ b/privacyidea/appliance/cert-renew.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
diff --git a/privacyidea/appliance/cert-renew.sh b/privacyidea/appliance/cert-renew.sh
new file mode 100755
index 0000000..a17939e
--- /dev/null
+++ b/privacyidea/appliance/cert-renew.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+HOST="privacyidea"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_APACHE=/$LABEL/etc/ssl/apache2
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+ git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+ GIT_REVISION=0
+ GIT_NEW_REVISION=1
+ cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+ GIT_REVISION=0
+ git clone "https://$GETUSER:$GETPASS@$GETREPO"
+ cd $FQDN
+ GIT_NEW_REVISION=$(getCurrentVersion)
+else
+ cd $FQDN
+ GIT_REVISION=$(getCurrentVersion)
+ git commit -m "CRON: auto commit"
+ git fetch
+ git merge origin/master -m "Auto Merge"
+ GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+ echo "Update Apache certificate..."
+ mkdir -p $CERT_APACHE
+ cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+ cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+ echo "Restarting Apache..."
+ systemctl is-active --quiet apache2 && systemctl restart apache2
+fi
+
+exit 0
diff --git a/privacyidea/appliance/cert-renew.timer b/privacyidea/appliance/cert-renew.timer
new file mode 100644
index 0000000..fa2ee54
--- /dev/null
+++ b/privacyidea/appliance/cert-renew.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+
+[Install]
+WantedBy=default.target
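Review bot: `git clone "https://$GETUSER:$GETPASS@$GETREPO"` embeds the repository credentials in the remote URL, so they persist in plain text in `$CERT_DIR/$FQDN/.git/config`, are visible in the process list for the duration of the clone, and are echoed back by git in any error message. Keep the URL credential-free and supply the secret through a root-only credential file or helper (for instance `git -c credential.helper=store` with a 0600 `~/.git-credentials`), ideally a read-only deploy token scoped to that one repository. The script also has no `set -e`, and `cd $CERT_DIR` / `cd $FQDN` are unchecked, so a missing or misnamed directory lets `git commit`, `git merge` and the two `cp` lines run in whatever the current directory happens to be; `cd "$CERT_DIR" || exit 1` and `cd "$FQDN" || exit 1` close that. Finally `cp … $CERT_APACHE/server.key` keeps whatever mode the source key has and `mkdir -p $CERT_APACHE` uses the inherited umask; `install -m 600 "$CERT_DIR/KEYS/$FQDN-key.pem" "$CERT_APACHE/server.key"` pins the private key to root-only regardless of how it arrived on the data volume.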
diff --git a/privacyidea/mariadb/my.cnf.root b/privacyidea/mariadb/my.cnf.root
new file mode 100644
index 0000000..b5ac578
--- /dev/null
+++ b/privacyidea/mariadb/my.cnf.root
@@ -0,0 +1,11 @@
+[mysqladmin]
+user = root
+password = gentoo
+
+[mysql]
+user = root
+password = gentoo
+
+[client]
+user = root
+password = gentoo
diff --git a/privacyidea/package.accept_keywords b/privacyidea/package.accept_keywords
new file mode 100644
index 0000000..1bd0427
--- /dev/null
+++ b/privacyidea/package.accept_keywords
@@ -0,0 +1,29 @@
+# privacyIDEA
+dev-python/responses
+dev-python/pyusb
+dev-python/imagesize
+dev-python/cookies
+dev-python/python-gnupg
+dev-python/ldap3
+dev-python/yubiotp
+dev-python/pycrypto
+dev-python/mysql-connector-python
+dev-python/pytest-cov
+dev-python/sphinx
+dev-python/sphinxcontrib-applehelp
+dev-python/sphinxcontrib-devhelp
+dev-python/sphinxcontrib-jsmath
+dev-python/sphinxcontrib-htmlhelp
+dev-python/sphinxcontrib-serializinghtml
+dev-python/sphinxcontrib-qthelp
+dev-python/smpplib
+
+# grunt, wird nur zur privacyIDEA-Translation benötigt
+dev-nodejs/*
+
+# stable kann kein python3
+net-fs/samba
+sys-libs/ldb
+sys-libs/talloc
+sys-libs/tdb
+sys-libs/tevent
diff --git a/privacyidea/package.use b/privacyidea/package.use
new file mode 100644
index 0000000..32a62c9
--- /dev/null
+++ b/privacyidea/package.use
@@ -0,0 +1,15 @@
+# privacyIDEA
+www-apps/privacyidea hightokencount -translation
+dev-python/sqlalchemy -sqlite
+dev-python/netaddr -cli
+dev-python/numpy lapack
+dev-libs/c-blosc hdf5
+sys-devel/gcc fortran
+sci-libs/hdf5 -cxx -fortran -hl
+
+# RADIUS (ohne Samba kein rlm_mschap.so)
+net-dialup/freeradius kerberos ldap mysql -python samba
+net-fs/samba ads gnutls ldap winbind
+
+# LDAP
+net-nds/openldap overlays perl sasl
diff --git a/privacyidea/privacyidea.cfg b/privacyidea/privacyidea.cfg
new file mode 100644
index 0000000..bbdcb0e
--- /dev/null
+++ b/privacyidea/privacyidea.cfg
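Review bot: This file fixes the MariaDB root password to `gentoo` in all three sections, and the Makefile's `yes gentoo | emerge --config dev-db/mariadb` sets that same value inside the image, so every appliance built from this tree ships with a known database root credential that neither 02firstboot.start nor anything else in the patch ever rotates. The firstboot script already talks to the server as root (its `mysql -u root -e …` calls authenticate through this file), so it is the natural place to generate a fresh password, apply it with `ALTER USER`, and rewrite `/root/.my.cnf` with mode 0600 before the application user is created; MySQL-Backup.sh reads the same file, so nothing else needs to change. A short comment at the top of this file stating that the value is a build-time placeholder to be replaced on first boot would document the intent. Until that exists, the `chmod 0600` the Makefile applies to the copy is the only thing keeping the build-time password from any local user.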
@@ -0,0 +1,2 @@ +REPO_NAMES += unitas-privacyidea +REPO_URI_unitas-privacyidea = https://git.unitas-network.de/Gentoo/unitas-privacyidea.git diff --git a/privacyidea/world b/privacyidea/world new file mode 100644 index 0000000..1d04df5 --- /dev/null +++ b/privacyidea/world @@ -0,0 +1,5 @@ +app-crypt/certbot-apache +dev-db/mariadb +www-apps/privacyidea +www-apps/privacyideaadm +net-dialup/freeradius diff --git a/zabbix/Makefile b/zabbix/Makefile index fcd182a..889e4b2 100644 --- a/zabbix/Makefile +++ b/zabbix/Makefile @@ -1,9 +1,22 @@ -preinstall: - # hardcoded users and groups - $(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix +02firstboot = $(CHROOT)/etc/local.d/02firstboot.start +cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh +zabbix-userparameter = $(CHROOT)/var/lib/zabbix/userparameter_mysql.conf -postinstall: - # MariaDB-Konfiguration +systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer + cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/ + cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/ + +$(02firstboot): appliance/02firstboot.start + mkdir -p $(CHROOT)/etc/local.d + cp $< $@ + touch $(CHROOT)/02firstboot + +$(cert-renew.sh): appliance/cert-renew.sh + mkdir -p $(CHROOT)/etc/ssl + cp $< $@ + +$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root + # MariaDB-Konfiguration ($$, weil make ein $ entfernt) sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf 
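Review bot: The `useradd … --uid 600 --user-group zabbix` line is removed from `preinstall` here and the new `preinstall:` added at the end of the file is empty, yet `zabbix-webapp` and `zabbix-syslog` still `RUN chown -R zabbix:zabbix …`; unless the zabbix account is now created by the package (not visible in this patch), those chowns fail on a clean image. The privacyidea Makefile in the same commit keeps its user creation as a stamped `$(PIUSER)` rule wired into `preinstall`, and the same pattern fits here. In the unchanged context lines, `sed -iE 's/^\(log-bin\)/#\1/'` appears to treat `E` as the `-i` backup suffix rather than as `-E`, leaving a `50-distro-server.cnfE` copy behind in the image; `sed -i` alone is enough, since the expression is already a basic regex. `$(CHROOT)/var/lib/mysql` is also a directory used as a real target, so its mtime changes whenever MariaDB writes into it and the destructive `rm -rf $(CHROOT)/var/lib/mysql/*` recipe can re-run unexpectedly; a stamp file is safer.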
@@ -13,31 +26,31 @@ postinstall: cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf chmod 0600 $(CHROOT)/root/.my.cnf rm -rf $(CHROOT)/var/lib/mysql/* - $(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb' + RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb' - # Apache-/PHP-Konfiguration +apache-php: sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D PHP :' $(CHROOT)/etc/conf.d/apache2 find $(CHROOT)/etc/php/apache2-*/ -iname php.ini -print | xargs \sed -i \ -e 's:.*date.timezone =.*:date.timezone = Europe/Berlin:' \ + -e 's:.*pcre.jit=.*:pcre.jit=0:' \ -e 's:.*max_execution_time =.*:max_execution_time = 300:' \ -e 's:.*max_input_time =.*:max_input_time = 300:' \ -e 's:.*post_max_size =.*:post_max_size = 16M:' \ -e 's:.*always_populate_raw_post_data =.*:always_populate_raw_post_data = -1:' - $(inroot) systemctl enable apache2 - # Add zabbix service definitions +zabbix-services: echo "zabbix-agent 10050/tcp Zabbix Agent" >> $(CHROOT)/etc/services echo "zabbix-agent 10050/udp Zabbix Agent" >> $(CHROOT)/etc/services echo "zabbix-trapper 10051/tcp Zabbix Trapper" >> $(CHROOT)/etc/services echo "zabbix-trapper 10051/udp Zabbix Trapper" >> $(CHROOT)/etc/services - # Install Zabbix webapp - $(inroot) webapp-config -h localhost -d zabbix -I zabbix `ls $(CHROOT)/usr/share/webapps/zabbix` +zabbix-webapp: + RUN webapp-config -h localhost -d zabbix -I zabbix `ls $(CHROOT)/usr/share/webapps/zabbix` cp $(CHROOT)/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php.example $(CHROOT)/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php # enable any language sed -i "s:'display' => false]:'display' => true]:" $(CHROOT)/var/www/localhost/htdocs/zabbix/include/locales.inc.php # im Zabbix-Ebuild wird fowners und fperms vor webapp_src_install aufgerufen und deswegen wieder überschrieben - $(inroot) chown -R zabbix:zabbix \ + RUN chown -R zabbix:zabbix \ /etc/zabbix \ /var/lib/zabbix \ /var/lib/zabbix/home \ 
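Review bot: `apache-php`, `zabbix-services` and `zabbix-webapp` (like `systemd-units` in the first hunk) are command targets, not files, but nothing declares them `.PHONY`, so a stray file of that name in the build directory silently skips the step; add `.PHONY: systemd-units apache-php zabbix-services zabbix-webapp zabbix-syslog fping snmp preinstall postinstall`. `zabbix-services` appends to `$(CHROOT)/etc/services` with `>>` on every invocation, so re-running `postinstall` duplicates the four entries; guard it with `grep -q '^zabbix-agent ' $(CHROOT)/etc/services || …` or write the block once. The `sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D PHP :'` in `apache-php` is not idempotent either and prepends `-D PHP` again on each run. The recipe for `zabbix-webapp` continues past the end of this hunk.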
@@ -54,9 +67,11 @@ postinstall: $(CHROOT)/var/lib/zabbix/externalscripts \ $(CHROOT)/var/log/zabbix - # Zabbix Agent - cp zabbix/userparameter_mysql.conf $(CHROOT)/var/lib/zabbix/userparameter_mysql.conf +$(zabbix-userparameter): zabbix/userparameter_mysql.conf + mkdir -p $(CHROOT)/var/lib/zabbix + cp $< $@ +zabbix-syslog: # Zabbix Syslog (https://github.com/v-zhuravlev/zabbix-syslog) mkdir -p $(CHROOT)/etc/zabbix/scripts/lib cp zabbix/zabbix-syslog/zabbix_syslog_create_urls.pl $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_create_urls.pl @@ -64,15 +79,15 @@ postinstall: cp zabbix/zabbix-syslog/zabbix_syslog.cfg $(CHROOT)/etc/zabbix/zabbix_syslog.cfg cp zabbix/zabbix-syslog/lib/ZabbixAPI.pm $(CHROOT)/etc/zabbix/scripts/lib/ZabbixAPI.pm cp zabbix/zabbix-syslog/70-zabbix_rsyslog.conf $(CHROOT)/etc/rsyslog.d/70-zabbix_rsyslog.conf - $(inroot)chown -R zabbix:zabbix /etc/zabbix/scripts + RUN chown -R zabbix:zabbix /etc/zabbix/scripts chmod +x $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_create_urls.pl chmod +x $(CHROOT)/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl - # FPing - $(inroot)chmod u=rwsx,g=rx,o=rx /usr/sbin/fping - $(inroot)chmod u=rwsx,g=rx,o=rx /usr/sbin/fping6 +fping: + chmod u=rwsx,g=rx,o=rx $(CHROOT)/usr/sbin/fping + chmod u=rwsx,g=rx,o=rx $(CHROOT)/usr/sbin/fping6 - # SNMP +snmp: cp snmp/snmpd.conf $(CHROOT)/etc/snmp/snmpd.conf cp snmp/snmptrapd.conf $(CHROOT)/etc/snmp/snmptrapd.conf cp snmp/snmptt.conf $(CHROOT)/etc/snmp/snmptt.conf @@ -86,5 +101,9 @@ postinstall: -e 's:unknown_trap_log_enable = 0:unknown_trap_log_enable = 1:' \ $(CHROOT)/etc/snmp/snmptt.ini mkdir -p $(CHROOT)/var/log/snmptt - $(inroot)chmod 0775 /var/log/snmptt - $(inroot)chown zabbix:zabbix /var/log/snmptt + chmod 0775 $(CHROOT)/var/log/snmptt + RUN chown zabbix:zabbix /var/log/snmptt + +preinstall: + +postinstall: systemd-units $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql apache-php zabbix-services zabbix-webapp $(zabbix-userparameter) zabbix-syslog fping snmp 
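Review bot: `chmod u=rwsx,g=rx,o=rx $(CHROOT)/usr/sbin/fping` (and the fping6 line) makes both binaries setuid root so the zabbix user can send ICMP; the least-privilege equivalent is `setcap cap_net_raw+ep $(CHROOT)/usr/sbin/fping`, which grants only raw-socket access instead of full root and removes two setuid binaries from the image. That depends on extended attributes surviving in the build chroot and in the final image, which this patch does not show, so the chmod can stay as the fallback if capabilities cannot be carried through. Either way a one-line comment such as `# fping needs raw sockets for the zabbix user; prefer file capabilities over setuid where the image supports xattrs` records why these two files are privileged.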
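Review bot: `postinstall` lists its steps as plain prerequisites, and GNU make only guarantees their order under a serial run; with `-j` the `RUN chown -R zabbix:zabbix …` in `zabbix-webapp` and `zabbix-syslog` can execute before whatever creates the zabbix account, and `$(zabbix-userparameter)` races `zabbix-webapp` for `$(CHROOT)/var/lib/zabbix`. Either declare the ordering (e.g. `zabbix-webapp zabbix-syslog $(zabbix-userparameter): preinstall`) or add `.NOTPARALLEL:` with a comment that the recipes mutate a shared chroot. The empty `preinstall:` target reads like an accident; a comment stating where user creation now happens, or the stamped useradd rule the privacyidea Makefile uses, would make it explicit.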
diff --git a/zabbix/appliance/02firstboot.start b/zabbix/appliance/02firstboot.start index c369bcf..e046cc0 100755 --- a/zabbix/appliance/02firstboot.start +++ b/zabbix/appliance/02firstboot.start @@ -2,7 +2,7 @@ # variables LABEL="DATA" -DATABASE_PASS="Di1sgMySQLPwd." +DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16) TLD="example.com" HOST="zabbix" ORGNAME="Zabbix example" 
@@ -13,16 +13,59 @@ set -e [ -e /01firstboot ] && exit 0 [ -e /02firstboot ] || exit 0 +# Zabbix configuration +if [ ! -d "/$LABEL/etc/zabbix" ]; then + echo 'Create Zabbix Server config...' + mkdir -p /$LABEL/etc/zabbix + chown zabbix:zabbix /$LABEL/etc/zabbix + cp /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf.orig + mv /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf + ln -s /$LABEL/etc/zabbix/zabbix_server.conf /etc/zabbix/zabbix_server.conf + sed -i "s:# DBPassword=:DBPassword=${DATABASE_PASS}:" /$LABEL/etc/zabbix/zabbix_server.conf + + echo 'Create Zabbix Frontend config...' + mkdir -p /$LABEL/var/www/localhost/htdocs/zabbix/conf + cp /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php.orig + mv /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php + ln -s /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php + sed -i "s:\$DB\['PASSWORD'\].*:\$DB\['PASSWORD'\] = '${DATABASE_PASS}';:" /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php +else + if [ ! -L /etc/zabbix/zabbix_server.conf ]; then + rm -rf /$LABEL/etc/zabbix/zabbix_server.conf.orig + mv /etc/zabbix/zabbix_server.conf /$LABEL/etc/zabbix/zabbix_server.conf.orig + else + rm -rf /etc/zabbix/zabbix_server.conf + fi + ln -s /$LABEL/etc/zabbix/zabbix_server.conf /etc/zabbix/zabbix_server.conf + + if [ ! -L /var/www/localhost/htdocs/zabbix/conf ]; then + rm -rf /$LABEL/var/www/localhost/htdocs/zabbix/conf.orig + mv /var/www/localhost/htdocs/zabbix/conf /$LABEL/var/www/localhost/htdocs/zabbix/conf.orig + else + rm -rf /var/www/localhost/htdocs/zabbix/conf + fi + ln -s /$LABEL/var/www/localhost/htdocs/zabbix/conf /var/www/localhost/htdocs/zabbix/conf +fi + # Database systemctl stop mariadb if [ ! -d "/$LABEL/var/lib/mysql/zabbix" ]; then echo 'Initialize MariaDB...' 
mkdir -p "/$LABEL/var/lib" rm -rf "/$LABEL/var/lib/mysql" - rm -rf "/$LABEL/var/lib/mysql.orig" - cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" - mv "/var/lib/mysql" "/$LABEL/var/lib/mysql" - ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + if [ ! -L /var/lib/mysql ]; then + rm -rf "/$LABEL/var/lib/mysql.orig" + cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" + mv "/var/lib/mysql" "/$LABEL/var/lib/mysql" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then + cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql" + rm -rf "/var/lib/mysql" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + else + echo '### ERROR initialize database !!! ###' + exit 1 + fi systemctl start mariadb sleep 5 
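Review bot: The two branches of the new Zabbix-configuration block disagree about what lives on the data volume: the first-run branch moves the single file `zabbix.conf.php` to `/$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php` and symlinks that file, but the `else` branch moves the whole `conf` directory aside and symlinks `/var/www/localhost/htdocs/zabbix/conf` to `/$LABEL/…/zabbix/conf`, which after a first run contains only `zabbix.conf.php`. On the second boot the packaged conf directory (and anything else the frontend ships in it) is therefore replaced by a directory holding one file; make both branches handle the same object, e.g. in the `else` branch `rm -f /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php` followed by `ln -s /$LABEL/var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php`, mirroring the zabbix_server.conf handling above it. The config branch keys on `/$LABEL/etc/zabbix` while the database branch keys on `/$LABEL/var/lib/mysql/zabbix`, so if only one of them survives (restored config with a fresh database, or the reverse) the DBPassword written here and the password given to the database user (created outside this hunk) are two different random values. Both files now carry the database password; a `chmod 640` on `zabbix_server.conf` and on `zabbix.conf.php` next to the `sed -i` lines would keep that from depending on the packaged modes. The database `if … fi` that opens at the end of this hunk closes outside it.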
@@ -41,50 +84,51 @@ else if [ ! -L /var/lib/mysql ]; then rm -rf "/$LABEL/var/lib/mysql.orig" mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" - ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + else + rm -f "/var/lib/mysql" fi + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" systemctl start mariadb fi -echo 'Enable database...' -systemctl enable mariadb -# Certificates -if [ ! -f "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" ]; then - echo 'Create certificates...' - mkdir -p "/$LABEL/CERTS/KEYS/" - mkdir -p "/$LABEL/CERTS/$HOST.$TLD" - echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" - openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem" - cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem" - touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" -fi - -# Zabbix -echo 'Start Zabbix...' -if [ ! 
-f "/$LABEL/etc/zabbix/zabbix_server.conf" ]; then - mkdir -p "/$LABEL/etc/zabbix" - chown zabbix:zabbix "/$LABEL/etc/zabbix" - cp /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf.orig" - mv /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf" - sed -i "s:# DBPassword=:DBPassword=${DATABASE_PASS}:" "/$LABEL/etc/zabbix/zabbix_server.conf" - ln -s "/$LABEL/etc/zabbix/zabbix_server.conf" "/etc/zabbix/zabbix_server.conf" - - mkdir -p "/$LABEL/etc/zabbix" - chown zabbix:zabbix "/$LABEL/etc/zabbix" - cp /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf.orig" - mv /etc/zabbix/zabbix_server.conf "/$LABEL/etc/zabbix/zabbix_server.conf" - sed -i "s:\$DB\['PASSWORD'\].*:\$DB\['PASSWORD'\] = '${DATABASE_PASS}';:" /var/www/localhost/htdocs/zabbix/conf/zabbix.conf.php +if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then + # angepaßtes Zertifikat vorhanden (kein example) + if [ ! -L /etc/ssl/cert-renew.sh ]; then + rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig" + mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig" + else + rm -f "/etc/ssl/cert-renew.sh" + fi + ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh" else - + echo 'Create example certificate...' 
+ mkdir -p "/$LABEL/CERTS/KEYS/" + mkdir -p "/$LABEL/CERTS/$HOST.$TLD" + echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem" + cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem" + touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" fi -systemctl start zabbix-server -systemctl enable zabbix-server -systemctl start zabbix-agentd -systemctl enable zabbix-agentd -rm /firstboot +rm -rf /etc/ssl/apache2 +mkdir -p /etc/ssl +ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2" + +/etc/ssl/cert-renew.sh + +systemctl enable mariadb +systemctl enable zabbix-server +systemctl enable zabbix-agentd +systemctl enable apache2 + +systemctl restart zabbix-server +systemctl restart zabbix-agentd +systemctl restart apache2 + +rm /02firstboot + diff --git a/zabbix/appliance/MySQL-Backup.sh b/zabbix/appliance/MySQL-Backup.sh new file mode 100755 index 0000000..19ccfc9 --- /dev/null +++ b/zabbix/appliance/MySQL-Backup.sh 
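Review bot: `if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]` turns any executable file at that path on the data volume into the script that runs as root here and from cert-renew.timer, replacing `/etc/ssl/cert-renew.sh`; that is evidently the intended customisation hook, but the trust it places in `/$LABEL/etc/ssl` is not written down anywhere. Add a comment at the test, e.g. `# /$LABEL/etc/ssl/cert-renew.sh is executed as root on every boot and by cert-renew.timer: the data volume must be writable by root only`, and consider tightening the test to `[ -x "/$LABEL/etc/ssl/cert-renew.sh" ] && [ -O "/$LABEL/etc/ssl/cert-renew.sh" ]` so a file not owned by root is ignored rather than executed. The example-certificate branch and the `rm -rf /etc/ssl/apache2` / `ln -sf` lines are identical to privacyidea/appliance/02firstboot.start in this commit; a shared helper sourced by both would keep them from drifting. The `else` that starts this hunk belongs to the database `if` that opens outside it.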
@@ -0,0 +1,32 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/MySQL"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+ for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
+ if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
+ if test -f ${DIR}/${i}.sql; then
+ echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+ mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+ fi
+ echo "dump ${i} to ${DIR}/${i}.sgl"
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
+ chmod 600 ${DIR}/${i}.sql
+ fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+ echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+ mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;
diff --git a/zabbix/appliance/backup.service b/zabbix/appliance/backup.service
new file mode 100644
index 0000000..13ca921
--- /dev/null
+++ b/zabbix/appliance/backup.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/MySQL-Backup.sh --all
diff --git a/zabbix/appliance/backup.timer b/zabbix/appliance/backup.timer
new file mode 100644
index 0000000..ec59929
--- /dev/null
+++ b/zabbix/appliance/backup.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+
+[Install]
+WantedBy=default.target
diff --git a/zabbix/appliance/cert-renew.service b/zabbix/appliance/cert-renew.service
new file mode 100644
index 0000000..59ec86d
--- /dev/null
+++ b/zabbix/appliance/cert-renew.service
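Review bot: Each dump is created with the process umask and only tightened by the `chmod 600` that follows it, so the file is readable according to the default umask while mysqldump runs, and a failed mysqldump leaves a partial file that the `chmod` then presents as a finished backup. Setting `umask 077` once, right after the `PATH=` line, makes every dump private from creation, and the two mysqldump calls should be checked, e.g. `mysqldump ... -r${DIR}/${i}.sql $i || { echo "dump of ${i} failed"; exit 1; }`. The `[ -z $1 ]` and `[ $1 = '--all' ]` tests leave `$1` unquoted, which only works for single-word arguments; `"$1"` is the safe form. The message on the dump line says `.sgl` where the file is `.sql`, and `${DIR}` is never created, so the script fails on an appliance where `/DATA/Backup/MySQL` does not yet exist unless something outside this diff creates it.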
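Review bot: `Persistent=false` on the timer means a backup that falls due while the appliance is powered off is skipped rather than run at the next boot; if the weekly backup should never be missed, `Persistent=true` is the usual setting. `WantedBy=default.target` works, but `WantedBy=timers.target` is the conventional install target for a system timer. The same two points apply to cert-renew.timer below.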
@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
diff --git a/zabbix/appliance/cert-renew.sh b/zabbix/appliance/cert-renew.sh
index 93dbfca..07747a4 100755
--- a/zabbix/appliance/cert-renew.sh
+++ b/zabbix/appliance/cert-renew.sh
@@ -1,13 +1,12 @@
 #!/bin/bash
-HOST="ejabberd"
+HOST="zabbix"
 TLD="example.com"
 FQDN="$HOST.$TLD"
 LABEL="DATA"
 CERT_DIR=/$LABEL/CERTS
-CERT_EJABBERD=/$LABEL/etc/ssl/ejabberd
-CERT_NGINX=/$LABEL/etc/ssl/nginx
+CERT_APACHE=/$LABEL/etc/ssl/apache2
 GETREPO=""
 GETUSER=""
 GETPASS=""
@@ -42,25 +41,12 @@ echo "new: $GIT_NEW_REVISION"
 if [ $GIT_REVISION != $GIT_NEW_REVISION ]
 then
- echo "Update Ejabberd certificate..."
- mkdir -p $CERT_EJABBERD
- cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_EJABBERD/server.pem
- cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_EJABBERD/server.key
- chown root:jabber $CERT_EJABBERD/server.*
- chmod 444 $CERT_EJABBERD/server.pem
- chmod 440 $CERT_EJABBERD/server.key
- echo "Restart Ejabberd..."
- systemctl restart ejabberd
-
- echo "Update Nginx certificate..."
- mkdir -p $CERT_NGINX
- cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
- cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
- chown nginx:nginx $CERT_NGINX/nginx.*
- chmod 444 $CERT_NGINX/nginx.pem
- chmod 400 $CERT_NGINX/nginx.key
- echo "Restart Nginx..."
- systemctl restart nginx
+ echo "Update Apache certificate..."
+ mkdir -p $CERT_APACHE
+ cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+ cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+ echo "Restarting Apache..."
+ systemctl is-active --quiet apache2 && systemctl restart apache2
 fi
 exit 0
diff --git a/zabbix/appliance/cert-renew.timer b/zabbix/appliance/cert-renew.timer
new file mode 100644
index 0000000..fa2ee54
--- /dev/null
+++ b/zabbix/appliance/cert-renew.timer
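Review bot: The new Apache branch copies the private key to `$CERT_APACHE/server.key` but drops the `chown`/`chmod` lines that the removed Ejabberd and Nginx branches had, so the key's mode is whatever `cp` inherits from the umask or from an already existing destination file. Add `chmod 444 $CERT_APACHE/server.crt` and `chmod 400 $CERT_APACHE/server.key` after the two `cp` lines, matching the 400/440 the old code set on its keys. The `systemctl is-active --quiet apache2 && systemctl restart apache2` line followed by the unconditional `exit 0` means a failed restart is never reported to cert-renew.service; appending `|| exit 1` to the restart line would surface it. The part of the script between the two hunks, including how `$GIT_REVISION` is obtained, is outside this diff.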
@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+
+[Install]
+WantedBy=default.target
diff --git a/zabbix/mariadb/my.cnf.root b/zabbix/mariadb/my.cnf.root
index 12ef61a..b5ac578 100644
--- a/zabbix/mariadb/my.cnf.root
+++ b/zabbix/mariadb/my.cnf.root
@@ -5,3 +5,7 @@ password = gentoo
 [mysql]
 user = root
 password = gentoo
+
+[client]
+user = root
+password = gentoo
diff --git a/zabbix/package.keywords b/zabbix/package.accept_keywords
similarity index 100%
rename from zabbix/package.keywords
rename to zabbix/package.accept_keywords
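Review bot: The added `[client]` section repeats the root password `gentoo` a third time in this file, and `[client]` is the section that the `mysqldump`/`mysqlshow` calls in MySQL-Backup.sh read through `--defaults-file=/root/.my.cnf`, which the name my.cnf.root suggests is where this file is installed. If the firstboot script rewrites the root password in this file (the substitutions visible in this diff only touch zabbix_server.conf and zabbix.conf.php), that rewrite must now also cover the `[client]` section, otherwise the placeholder stays in the credentials the backup job uses. A comment on the new section such as `# placeholder, replaced at first boot together with [mysql]` would make that contract explicit.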